Abstract

Unconditionally secure two-party bit commitment based solely on 
the principles of quantum mechanics (without exploiting special rel- 
ativistic signalling constraints, or principles of general relativity or 
thermodynamics) has been shown to be impossible, but the claim 
is repeatedly challenged. The quantum bit commitment theorem is 
reviewed here and the central conceptual point, that an 'Einstein- 
Podolsky-Rosen' attack or cheating strategy can always be applied, is 
clarified. The question of whether following such a cheating strategy 
can ever be disadvantageous to the cheater is considered and answered 
in the negative. There is, indeed, no loophole in the theorem. 



PACS numbers: 03.67.Dd, 03.65.Bz 

1 Introduction 



Over the past few years, the new fields of quantum information, quantum 
computation, and quantum cryptology have emerged as the locus of foun- 
dational research in quantum mechanics. In quantum cryptology, the main 
results have been a variety of provably secure protocols for key distribu- 
tion, following the original Bennett and Brassard (BB84) protocol H, and 
an important 'no go' theorem by Mayers [27], |2(J: the impossibility of 
unconditionally secure two-party bit commitment based solely on the princi-
ples of quantum mechanics (without exploiting special relativistic signalling
constraints, or principles of general relativity or thermodynamics). The quan-
tum bit commitment theorem generalizes previous results restricted to one-
way communication protocols by Mayers [25] and by Lo and Chau [19], and
applies to quantum, classical, and quantum-classical hybrid schemes (since 
classical information is essentially quantum information subject to certain 
constraints). The restriction to two-party schemes excludes schemes that in- 
volve a trusted third-party or trusted channel properties, and the restriction 
to schemes based solely on the principles of quantum mechanics excludes 
schemes that exploit special relativistic signalling constraints (see below), or 
schemes that might involve time machines or black holes. 

In a key distribution protocol, the object is for two parties, Alice and Bob, 
who initially share no information, to exchange information via quantum and 
classical channels, so as to end up sharing a secret key (which they can then 
use for encryption), in such a way as to ensure that any attempt by an 
eavesdropper, Eve, to gain information about the secret key will be detected 
with non-zero probability. 

The features of quantum mechanics that allow secure key distribution 
are, essentially, the quantum 'no cloning' theorem (which makes it impossi- 
ble for Eve to copy quantum communications between Alice and Bob for later 
analysis), and the fact that nonorthogonal quantum states cannot be distin- 
guished without disturbing the states, so any information gain that depends 
on distinguishing such states must introduce some detectable disturbance. 

In a bit commitment protocol, one party, Alice, supplies an encoded bit 
to a second party, Bob. The information available in the encoding should be 
insufficient for Bob to ascertain the value of the bit, but sufficient, together 
with further information supplied by Alice at a subsequent stage when she 
is supposed to reveal the value of the bit, for Bob to be convinced that the 
protocol does not allow Alice to cheat by encoding the bit in a way that 
leaves her free to reveal either 0 or 1 at will.

To illustrate the idea, suppose Alice claims the ability to predict advances 
or declines in the stock market on a daily basis. To substantiate her claim 
without revealing valuable information (perhaps to a potential employer, 
Bob) she suggests the following demonstration: She proposes to record her 
prediction, before the market opens, by writing a 0 (for 'decline') or a 1
(for 'advance') on a piece of paper, which she will lock in a safe. The safe 
will be handed to Bob, but Alice will keep the key. At the end of the day's 
trading, she will announce the bit she chose and prove that she in fact made
the commitment at the earlier time by handing Bob the key. The question 
is whether there exists a quantum analogue of this procedure that is uncon- 
ditionally secure: provably secure by the laws of physics against cheating by 
either Alice or Bob. Note that Bob can cheat if he can obtain some informa- 
tion about Alice's commitment before she reveals it (which would give him 
an advantage in repetitions of the protocol with Alice). Alice can cheat if 
she can delay actually making a commitment until the final stage when she 
is required to reveal her commitment, or if she can change her commitment 
at the final stage with a very low probability of detection. 

The importance of quantum bit commitment as a cryptological primitive 
arises because of its relation to other cryptological protocols. Lo [22] has
argued that the impossibility of unconditionally secure quantum bit com- 
mitment implies the impossibility of secure quantum one-sided two-party 
computations, and hence the impossibility of secure quantum one-out-of-two 
oblivious transfer. It is easy to see that a remote coin tossing procedure, in 
which neither party can cheat, would be possible if secure bit commitment 
were possible, which would allow unconditionally secure remote gambling 
(gambling over the internet, for example). But note that a procedure for 
remote fair games has been proposed by Goldenberg, Vaidman, and Wiesner,
so this is a weaker protocol than bit commitment.

Bennett and Brassard originally proposed a quantum bit commitment
protocol in 0]. The basic idea was to associate the 0 and 1 commitments
with two statistically equivalent quantum mechanical mixtures (represented 
by the same density operator). As they showed in the same paper, Alice can 
cheat by adopting an 'Einstein-Podolsky-Rosen' (EPR) attack or cheating 
strategy: she prepares entangled pairs of particles, keeps one of each pair 
(the ancilla) and sends the second particle (the channel particle) to Bob. 
In this way she can fake sending one of two equivalent mixtures to Bob and 
reveal either bit at will at the opening stage by effectively creating the desired 
mixture via appropriate measurements on her ancillas. Bob cannot detect 
this cheating strategy. 

In a later paper [[?J, Brassard, Crepeau, Jozsa, and Langlois proposed
a bit commitment protocol that they claimed to be unconditionally secure.
The BCJL scheme was first shown to be insecure by Mayers [24], [25]. Subse-
quently, Mayers [27] and Lo and Chau [19] independently showed that a
large class of quantum bit commitment schemes are insecure. Lo and Chau
presented their result in [19] as applicable only to all proposed quantum bit
commitment schemes, including the BCJL scheme (for which they relied on
Mayers' extended analysis in [25]). But as Mayers showed in [26], [27], the
insight of Bennett and Brassard in || can be extended to a proof that a gen-
eralized version of the EPR cheating strategy can always be applied, if the
Hilbert space is enlarged in a suitable way by introducing additional ancilla
particles. Following Mayers, a similar result is proved in Lo and Chau pO
where the operative assumption is that both Alice and Bob have available
quantum computers of unlimited power and are capable of storing quantum
signals indefinitely.

Mayers' analysis in [^J explicitly models the exchange of quantum and 
classical information in two-way quantum bit commitment protocols via a 
'direct' approach. For an interesting 'indirect' or 'reduction' approach, see 
II ||, |lOfl . Classical information can be understood as a type of quantum 
information with additional constraints. The distinction between classical 
and quantum information was always explicit in the analysis of proposed 
quantum bit commitment protocols. According to Mayers (personal commu-
nication), this explains why researchers failed to see the general impossibility
of quantum bit commitment, even after the basic mathematical result, which 
is valid in a purely quantum world, was known. 

The negative results of Mayers and Lo and Chau came as a surprise and 
were received with dismay by the quantum cryptology community. The proof 
of the basic theorem, which exploits the biorthogonal decomposition theo- 
rem, is remarkably simple, but the impossibility of secure bit commitment 
based solely on the principles of quantum (or classical) mechanics has pro- 
found consequences. Indeed, it would not be an exaggeration to say that 
the significance of the quantum bit commitment theorem is comparable to 
Bell's locality theorem 0] for quantum mechanics. Brassard and Fuchs have 
speculated (private communication and |T2||) that quantum mechanics can 
be derived from two postulates about quantum information: the possibility 
of secure key distribution and the impossibility of secure bit commitment. 
That is, in a quantum world the communication of information is character- 
ized precisely in this way in terms of a limited sort of privacy. 

Perhaps because of the simplicity of the proof and the universality of the
claim, the quantum bit commitment theorem is continually challenged in the
literature (see, for example, JET], [28], |3T|), on the basis that the proof does not
cover all possible procedures that might be exploited to implement quantum
bit commitment. There seems to be a general feeling that the theorem is
'too good to be true' and that there must be a loophole.

In fact, there is no loophole. While Kent \TE, 17] has shown how to im-
plement a secure classical bit commitment protocol by exploiting relativistic
signalling constraints in a timed sequence of communications between veri-
fiably separated sites for both Alice and Bob, and Hardy and Kent [14] and
Aharonov, Ta-Shma, Vazirani, and Yao J| have investigated the security of
'cheat-sensitive' or 'weak' versions of quantum bit commitment, these results 
are not in conflict with the quantum bit commitment theorem. In a bit com- 
mitment protocol as usually construed, there is a time interval of arbitrary 
length, where no information is exchanged, between the end of the commit- 
ment stage of the protocol and the opening or unveiling stage, when Alice 
reveals the value of the bit. Kent's ingenious scheme effectively involves a 
third stage between the commitment stage and the unveiling stage, in which 
information is exchanged between Bob's sites and Alice's sites at regular in- 
tervals until one of Alice's sites chooses to unveil the originally committed 
bit. At this moment of unveiling the protocol is not yet complete, because 
a further sequence of unveilings is required between Alice's sites and corre- 
sponding sites of Bob before Bob has all the information required to verify 
the commitment at a single site. If a bit commitment protocol is understood 
to require an arbitrary amount of 'free' time between the end of the commit- 
ment stage and the opening stage (in which no step is to be executed in the 
protocol), then the quantum bit commitment theorem covers protocols that 
exploit special relativistic signalling constraints. (I am indebted to Dominic 
Mayers for clarifying this point.) The aim of the following discussion will be 
to clarify the underlying logic of the proof, and especially the crucial signifi- 
cance of the assumption that both parties can be assumed to have access to 
quantum computers, so that a (generalized) EPR cheating strategy is always 
possible. 

In Section 2, I review the structure of the proof and show how any step in 
a bit commitment protocol that requires Alice or Bob to make a determinate 
choice (whether to perform one of a number of alternative measurements, 
or whether to implement one of a number of alternative unitary transforma- 
tions) can always be replaced by an EPR cheating strategy in the generalized 
sense, assuming that Alice and Bob are both equipped with quantum com- 
puters. That is, a classical disjunction over determinate possibilities — this 
operation or that operation — can always be replaced by a quantum entan- 
glement and a subsequent measurement (perhaps at a more convenient time 
for the cheater) in which one of the possibilities becomes determinate. Es- 
sentially, the classical disjunction is replaced by a quantum disjunction. This 
cheating strategy cannot be detected. Similarly, a measurement can be 'held
at the quantum level' without detection: instead of performing the measure- 
ment and obtaining a determinate outcome as one of a number of possible 
outcomes, a suitable unitary transformation can be performed on an enlarged 
Hilbert space, in which the system is entangled with a 'pointer' ancilla in 
an appropriate way, and the procedure of obtaining a determinate outcome 
(which involves decoherence, or the 'collapse' of the quantum state onto an 
eigenstate of the observable measured) can be delayed. The possibility of 
keeping the series of transactions between Alice and Bob at the quantum 
level by enlarging the Hilbert space, until the final exchange of classical in- 
formation when Alice reveals her commitment, is the crucial insight that 
underlies Mayers' general proof. In John Smolin's whimsical terminology, 
this is the doctrine of the Church of the Larger Hilbert Space: the belief that 
a fully quantum treatment can always be obtained by extending the Hilbert 
space. 

If it can be assumed that a measurement has in fact been performed and 
a determinate outcome obtained, then secure bit commitment is possible. 
This is tantamount to assuming that an EPR cheating strategy is blocked. 
Since there is no way to distinguish whether the protocol has been followed 
or replaced by an EPR cheating strategy, it would seem that there is no way 
to ensure that a measurement has in fact been performed and a determinate 
outcome recorded. 

But how do we know that there is no bit commitment protocol of the 
following sort: Suppose, at some stage of the protocol, Bob (say) is required 
to perform one of two alternative measurements, X or Y, chosen at random. 
If Bob actually chooses one of X or Y, and actually performs the measure- 
ment and obtains a determinate outcome, then the protocol is secure against 
cheating by both parties. If Bob implements an EPR strategy and keeps the 
choice and the measurement at the quantum level, then it turns out that 
Alice has a greater probability of cheating successfully than Bob. If there 
were such a protocol, then even though Bob could implement an EPR strat- 
egy without detection, he would effectively be forced to make the choice and 
carry out the measurement, since he would not choose to put himself in a 
weaker position relative to Alice over the long run in a series of bit commit- 
ment transactions. In Section 3, I show that the possibility of such a protocol 
is blocked by the theorem itself. That is, adopting an EPR cheating strategy 
is never disadvantageous to the cheater. 

2 The Bit Commitment Theorem



Any bit commitment scheme will involve a series of transactions between 
Alice and Bob, where a certain number, n, of quantum systems — the 'chan- 
nel particles' — are passed between them and subjected to various operations 
(unitary transformations, measurements), possibly chosen randomly. I show 
now how these operations can always be replaced, without detection, by en- 
tangling a channel particle with one or more ancilla particles that function 
as 'pointer' particles for measurements or 'dice' particles for random choices. 
This is the (generalized) EPR cheating strategy. 

Suppose, at a certain stage of a bit commitment protocol, that Bob is re- 
quired to make a random choice between measuring one of two observables, X 
or Y, on each channel particle he receives from Alice. For simplicity, assume 
that X and Y each have two eigenvalues, $x_1$, $x_2$ and $y_1$, $y_2$. After
recording the outcome of the measurement, Bob is required to return the channel
particle to Alice. When Alice receives the $i$th channel particle she sends
Bob the next channel particle in the sequence. We may suppose that the 
measurement outcomes that Bob records form part of the information that 
enables him to confirm Alice's commitment, once she discloses it (together 
with further information), so he is not required to report his measurement 
outcomes to Alice until the final stage of the protocol when she reveals her 
commitment. 

Instead of following the protocol, Bob can construct a device that entan-
gles the input state $|\psi\rangle_C$ of a channel particle with the initial states, $|d_0\rangle_B$
and $|p_0\rangle_B$, of two ancilla particles that he introduces, the first of which func-
tions as a 'quantum die' for the random choice and the second as a 'quantum
pointer' for the measurement. It is assumed that Bob's ability to construct
such a device — a special purpose quantum computer — is restricted only by
the laws of quantum mechanics. The entanglement is implemented by a
unitary transformation in the following way:¹ Define two unitary transfor-
mations, $U_X$ and $U_Y$, that implement the X and Y measurements 'at the
quantum level' on the tensor product of the Hilbert space of the channel
1 Note that there is no loss of generality in assuming that the channel particle is in a
pure state. If the channel particle is entangled with Alice's ancillas, the device implements
the entanglement via the transformation $I \otimes \cdots$, where $I$ is the identity operator in the
Hilbert space of Alice's ancillas.
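particle, $\mathcal{H}_C$, and the Hilbert space of Bob's pointer ancilla, $\mathcal{H}_{B(P)}$:

$$
\begin{aligned}
|x_1\rangle_C |p_0\rangle_B &\xrightarrow{U_X} |x_1\rangle_C |p_1\rangle_B \\
|x_2\rangle_C |p_0\rangle_B &\xrightarrow{U_X} |x_2\rangle_C |p_2\rangle_B
\end{aligned}
\tag{1}
$$

and

$$
\begin{aligned}
|y_1\rangle_C |p_0\rangle_B &\xrightarrow{U_Y} |y_1\rangle_C |p_1\rangle_B \\
|y_2\rangle_C |p_0\rangle_B &\xrightarrow{U_Y} |y_2\rangle_C |p_2\rangle_B
\end{aligned}
\tag{2}
$$

so that

$$
|\psi\rangle_C |p_0\rangle_B \xrightarrow{U_X} \langle x_1|\psi\rangle\, |x_1\rangle_C |p_1\rangle_B + \langle x_2|\psi\rangle\, |x_2\rangle_C |p_2\rangle_B
\tag{3}
$$

and

$$
|\psi\rangle_C |p_0\rangle_B \xrightarrow{U_Y} \langle y_1|\psi\rangle\, |y_1\rangle_C |p_1\rangle_B + \langle y_2|\psi\rangle\, |y_2\rangle_C |p_2\rangle_B
\tag{4}
$$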

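The random choice is defined similarly by a unitary transformation $V$ on
the tensor product of the Hilbert space of Bob's die ancilla, $\mathcal{H}_{B(D)}$, and the
Hilbert space $\mathcal{H}_C \otimes \mathcal{H}_{B(P)}$. Suppose $|d_X\rangle$ and $|d_Y\rangle$ are two orthogonal states
in $\mathcal{H}_{B(D)}$ and that $|d_0\rangle = \frac{1}{\sqrt{2}}|d_X\rangle + \frac{1}{\sqrt{2}}|d_Y\rangle$. Then (suppressing the obvious
subscripts) $V$ is defined by:

$$
\begin{aligned}
|d_X\rangle \otimes |\psi\rangle |p_0\rangle &\xrightarrow{V} |d_X\rangle \otimes U_X |\psi\rangle |p_0\rangle \\
|d_Y\rangle \otimes |\psi\rangle |p_0\rangle &\xrightarrow{V} |d_Y\rangle \otimes U_Y |\psi\rangle |p_0\rangle
\end{aligned}
\tag{5}
$$

so that

$$
|d_0\rangle \otimes |\psi\rangle |p_0\rangle \xrightarrow{V} \frac{1}{\sqrt{2}} |d_X\rangle \otimes U_X |\psi\rangle |p_0\rangle + \frac{1}{\sqrt{2}} |d_Y\rangle \otimes U_Y |\psi\rangle |p_0\rangle
\tag{6}
$$

where the tensor product symbol has been introduced selectively to indicate
that $U_X$ and $U_Y$ are defined on $\mathcal{H}_C \otimes \mathcal{H}_{B(P)}$.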

If Bob were to actually choose the observable X or Y randomly, and 
actually perform the measurement and obtain a particular eigenvalue, Alice's 
density operator for the channel particle would be: 



$$
\frac{1}{2}\left( |\langle x_1|\psi\rangle|^2\, |x_1\rangle\langle x_1| + |\langle x_2|\psi\rangle|^2\, |x_2\rangle\langle x_2| \right)
+ \frac{1}{2}\left( |\langle y_1|\psi\rangle|^2\, |y_1\rangle\langle y_1| + |\langle y_2|\psi\rangle|^2\, |y_2\rangle\langle y_2| \right)
\tag{7}
$$

assuming that Alice does not know what observable Bob chose to measure,
nor what outcome he obtained. But this is precisely the same density oper-
ator generated by tracing over Bob's ancilla particles for the state produced
in (6). In other words, the density operator for the channel particle is the
same for Alice, whether Bob randomly chooses which observable to measure
and actually performs the measurement, or whether he implements an EPR
cheating strategy with his two ancillas that produces the transition (6) on
the enlarged Hilbert space.

If Bob is required to eventually report what measurement he performed 
and what outcome he obtained, he can at that stage measure the die ancilla 
for the eigenstate $|d_X\rangle$ or $|d_Y\rangle$, and then measure the pointer ancilla for
the eigenstate $|p_1\rangle$ or $|p_2\rangle$. In effect, if we consider the ensemble of possible
outcomes for the two measurements, Bob will have converted the 'improper' 
mixture generated by tracing over his ancillas to a 'proper' mixture. But 
the difference between a proper and improper mixture is undetectable by 
Alice since she has no access to Bob's ancillas, and it is only by measuring 
the composite system consisting of the channel particle together with Bob's 
ancillas that Alice could ascertain that the channel particle is entangled with 
the ancillas. 

In fact, if it were possible to distinguish between a proper and improper 
mixture, it would be possible to signal superluminally: Alice could know 
instantaneously whether or not Bob performed a measurement on his ancillas 
by monitoring the channel particles in her possession. Note that it makes no 
difference whether Bob or Alice measures first, since the measurements are 
of observables in different Hilbert spaces, which therefore commute. 

Clearly, a similar argument applies if Bob is required to choose between 
alternative unitary operations at some stage of a bit commitment protocol. 
Perhaps less obviously, an EPR cheating strategy is also possible if Bob is 
required to perform a measurement or choose between alternative operations 
on channel particle i + 1 conditional on the outcome of a prior measurement
on channel particle i, or conditional on a prior choice of some operation from 
among a set of alternative operations. Of course, if Bob is in possession of all 
the channel particles at the same time, he can perform an entanglement with 
ancillas on the entire sequence, considered as a single composite system. 
But even if Bob only has access to one channel particle at a time (which 
he is required to return to Alice after performing a measurement or other 
operation before she sends him the next channel particle), he can always 
entangle channel particle i + 1 with the ancillas he used to entangle channel 
particle i.

For example, suppose Bob is presented with two channel particles in se- 
quence. He is supposed to decide randomly whether to measure X or Y on 
the first particle, perform the measurement, and return the particle to Alice. 
After Alice receives the first particle, she sends Bob the second particle. If 
Bob measured X on the first particle and obtained the outcome $x_1$, he is
supposed to measure X on the second particle; if he obtained the outcome
$x_2$, he is supposed to measure Y on the second particle. If he measured Y on
the first particle and obtained the outcome $y_1$, he is supposed to apply the
unitary transformation $U_1$ to the second particle; if he obtained the outcome
$y_2$, he is supposed to apply the unitary transformation $U_2$. After performing
the required operation, he is supposed to return the second particle to Alice. 

It would seem at first sight that Bob has to actually perform a measure- 
ment on the first channel particle and obtain a particular outcome before he 
can apply the protocol to the second particle, given that he only has access 
to one channel particle at a time, so an EPR cheating strategy is excluded. 
But this is not so. Bob's strategy is the following: He applies the EPR strat- 
egy discussed above for two alternative measurements to the first channel 
particle. For the second channel particle, he applies the following unitary 
transformation on the tensor product of the Hilbert spaces of his ancillas 
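and the channel particle, where the state of the second channel particle is
denoted by $|\phi\rangle$, and the state of the pointer ancilla for the second channel
particle is denoted by $|q_0\rangle$ (a second die particle is not required):

$$
\begin{aligned}
|d_X\rangle |p_1\rangle |\phi\rangle |q_0\rangle &\longrightarrow |d_X\rangle |p_1\rangle \otimes U_X |\phi\rangle |q_0\rangle \\
|d_X\rangle |p_2\rangle |\phi\rangle |q_0\rangle &\longrightarrow |d_X\rangle |p_2\rangle \otimes U_Y |\phi\rangle |q_0\rangle \\
|d_Y\rangle |p_1\rangle |\phi\rangle |q_0\rangle &\longrightarrow |d_Y\rangle |p_1\rangle \otimes U_1 |\phi\rangle \otimes |q_0\rangle \\
|d_Y\rangle |p_2\rangle |\phi\rangle |q_0\rangle &\longrightarrow |d_Y\rangle |p_2\rangle \otimes U_2 |\phi\rangle \otimes |q_0\rangle
\end{aligned}
\tag{8}
$$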

Since an EPR cheating strategy can always be applied without detection, 
the proof of the bit commitment theorem assumes that at the end of the 
commitment stage the composite system consisting of Alice's ancillas, the n 
channel particles, and Bob's ancillas will be represented by some composite 
entangled state $|0\rangle$ or $|1\rangle$, depending on Alice's commitment, on a Hilbert
space $\mathcal{H}_A \otimes \mathcal{H}_B$, where $\mathcal{H}_A$ is the Hilbert space of the particles in Alice's
possession at that stage (Alice's ancillas and the channel particles retained by
Alice, if any), and $\mathcal{H}_B$ is the Hilbert space of the particles in Bob's possession
at that stage (Bob's ancillas and the channel particles retained by Bob, if 
any). 

Now, the density operators $W_B(0)$ and $W_B(1)$ characterizing the infor-
mation available to Bob for the two alternative commitments are obtained
by tracing the states $|0\rangle$ and $|1\rangle$ over $\mathcal{H}_A$. If these density operators are the
same, then Bob will be unable to distinguish the 0-commitment from the
1-commitment without further information from Alice. In this case, the pro-
tocol is said to be 'concealing.' What the proof establishes, by an application
of the biorthogonal decomposition theorem, is that if $W_B(0) = W_B(1)$ then
there exists a unitary transformation in $\mathcal{H}_A$ that will transform $|0\rangle$ to $|1\rangle$.
That is, if the protocol is 'concealing' then it cannot be 'binding' on Alice:
she can always make the 0-commitment and follow the protocol (with ap-
propriate applications of an EPR strategy) to establish the state $|0\rangle$. At the
final stage when she is required to reveal her commitment, she can change
her commitment if she chooses, depending on circumstances, by applying a
suitable unitary transformation in her own Hilbert space to transform $|0\rangle$ to
$|1\rangle$ without Bob being able to detect this move. So either Bob can cheat
by obtaining some information about Alice's choice before she reveals her
commitment, or Alice can cheat.

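The essentials of the proof can be sketched as follows: In the biorthogonal
(Schmidt) decomposition, the states $|0\rangle$ and $|1\rangle$ can be expressed as:

$$
\begin{aligned}
|0\rangle &= \sum_i \sqrt{c_i}\, |a_i\rangle |b_i\rangle \\
|1\rangle &= \sum_j \sqrt{c'_j}\, |a'_j\rangle |b'_j\rangle
\end{aligned}
\tag{9}
$$

where $\{|a_i\rangle\}$, $\{|a'_j\rangle\}$ are two orthonormal sets of states in $\mathcal{H}_A$, and
$\{|b_i\rangle\}$, $\{|b'_j\rangle\}$ are two orthonormal sets in $\mathcal{H}_B$.

The density operators $W_B(0)$ and $W_B(1)$ are defined by:

$$
\begin{aligned}
W_B(0) &= \mathrm{Tr}_A\, |0\rangle\langle 0| = \sum_i c_i\, |b_i\rangle\langle b_i| \\
W_B(1) &= \mathrm{Tr}_A\, |1\rangle\langle 1| = \sum_j c'_j\, |b'_j\rangle\langle b'_j|
\end{aligned}
$$

Bob can't cheat if and only if $W_B(0) = W_B(1)$. Now, by the spectral
theorem, the decompositions:

$$
\begin{aligned}
W_B(0) &= \sum_i c_i\, |b_i\rangle\langle b_i| \\
W_B(1) &= \sum_j c'_j\, |b'_j\rangle\langle b'_j|
\end{aligned}
$$

are unique. For the nondegenerate case, where the $c_i$ are all distinct and the
$c'_j$ are all distinct, the condition $W_B(0) = W_B(1)$ implies that for all $k$:

$$
\begin{aligned}
c_k &= c'_k \\
|b_k\rangle &= |b'_k\rangle
\end{aligned}
\tag{11}
$$

and so

$$
\begin{aligned}
|0\rangle &= \sum_k \sqrt{c_k}\, |a_k\rangle |b_k\rangle \\
|1\rangle &= \sum_k \sqrt{c_k}\, |a'_k\rangle |b_k\rangle
\end{aligned}
\tag{12}
$$

It follows that there exists a unitary transformation $U \in \mathcal{H}_A$ such that

$$
\{|a_k\rangle\} \xrightarrow{U} \{|a'_k\rangle\}
\tag{13}
$$

and hence

$$
|0\rangle \xrightarrow{U} |1\rangle
\tag{14}
$$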

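The degenerate case can be handled in a similar way. Suppose that $c_1 =
c_2 = c'_1 = c'_2 = c$. Then $|b_1\rangle$, $|b_2\rangle$ and $|b'_1\rangle$, $|b'_2\rangle$ span the same subspace $\mathcal{H}$ in
$\mathcal{H}_B$, and hence (assuming the coefficients are distinct for $k > 2$):

$$
\begin{aligned}
|0\rangle &= \sqrt{c}\,\bigl(|a_1\rangle|b_1\rangle + |a_2\rangle|b_2\rangle\bigr) + \sum_{k>2} \sqrt{c_k}\, |a_k\rangle|b_k\rangle \\
|1\rangle &= \sqrt{c}\,\bigl(|a'_1\rangle|b'_1\rangle + |a'_2\rangle|b'_2\rangle\bigr) + \sum_{k>2} \sqrt{c_k}\, |a'_k\rangle|b_k\rangle \\
          &= \sqrt{c}\,\bigl(|a''_1\rangle|b_1\rangle + |a''_2\rangle|b_2\rangle\bigr) + \sum_{k>2} \sqrt{c_k}\, |a'_k\rangle|b_k\rangle
\end{aligned}
\tag{15}
$$

where $|a''_1\rangle$, $|a''_2\rangle$ are orthonormal states spanning $\mathcal{H}$. Since $\{|a''_1\rangle, |a''_2\rangle, |a'_3\rangle, \ldots\}$
is an orthonormal set in $\mathcal{H}_A$, there exists a unitary transformation in $\mathcal{H}_A$ that
transforms $\{|a_k\rangle\}$ to $\{|a''_1\rangle, |a''_2\rangle, |a'_3\rangle, \ldots\}$, and hence $|0\rangle$ to $|1\rangle$.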

The extension of the theorem to the nonideal case, where $W_B(0) \approx
W_B(1)$, so that there is a small probability of Bob distinguishing the alterna-
tive commitments, shows that Alice has a correspondingly large probability
of cheating successfully: there exists a $U$ that will transform $W_B(0)$ suffi-
ciently close to $W_B(1)$ so that Bob has a very small probability of making
the distinction.
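
The construction in the proof can be carried out numerically. The following is an added example, not code from the paper: it writes each commitment state as a coefficient matrix M with |s> = sum M[a][b] |a>_A |b>_B, checks the 'concealing' condition W_B(0) = W_B(1), and, when it holds, builds Alice's unitary as U = M1 M0^{-1}. The function names are hypothetical, the sample states are constructed (two equivalent mixtures in the style of the Bennett and Brassard scheme), and M0 is assumed to have full Schmidt rank so that it is invertible.

```python
# Added illustration (not from the paper): concealing implies not binding.
from math import sqrt


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]


def dagger(A):
    return [[A[i][j].conjugate() for i in range(len(A))]
            for j in range(len(A[0]))]


def close(A, B, tol=1e-9):
    return all(abs(x - y) < tol for ra, rb in zip(A, B) for x, y in zip(ra, rb))


def identity(n):
    return [[complex(i == j) for j in range(n)] for i in range(n)]


def inverse(A):
    """Gauss-Jordan inverse with partial pivoting (complex entries)."""
    n = len(A)
    M = [[complex(v) for v in row] + identity(n)[i] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        if abs(M[piv][col]) < 1e-12:
            raise ValueError("coefficient matrix is not of full Schmidt rank")
        M[col], M[piv] = M[piv], M[col]
        p = M[col][col]
        M[col] = [v / p for v in M[col]]
        for r in range(n):
            if r != col:
                f = M[r][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return [row[n:] for row in M]


def bob_density(M):
    """W_B = Tr_A |s><s| for |s> = sum_ab M[a][b] |a>_A |b>_B."""
    nb = len(M[0])
    return [[sum(row[b] * row[b2].conjugate() for row in M)
             for b2 in range(nb)] for b in range(nb)]


def cheating_unitary(M0, M1):
    """Unitary U on Alice's space with (U x I)|0> = |1>.

    Returns None when W_B(0) != W_B(1): the scheme is then not concealing
    and it is Bob, not Alice, who has the advantage.
    """
    if not close(bob_density(M0), bob_density(M1)):
        return None
    U = matmul(M1, inverse(M0))          # (U x I)|0> has coefficients U.M0
    if not close(matmul(dagger(U), U), identity(len(U))):
        raise ArithmeticError("constructed operator is not unitary")
    return U


s = 1 / sqrt(2)
# Constructed sample states (not taken from the paper):
# |0> = (|0>_A|0>_B + |1>_A|1>_B)/sqrt(2): Bob holds a z-basis mixture.
COMMIT_0 = [[s, 0], [0, s]]
# |1> = (|0>_A|+>_B + |1>_A|->_B)/sqrt(2): Bob holds an x-basis mixture.
COMMIT_1 = [[0.5, 0.5], [0.5, -0.5]]
# A non-concealing alternative: Bob's density operator is diag(0.8, 0.2).
LEAKY_1 = [[sqrt(0.8), 0], [0, sqrt(0.2)]]

if __name__ == "__main__":
    U = cheating_unitary(COMMIT_0, COMMIT_1)
    print("Alice's unitary:", U)
    print("maps |0> to |1>:", close(matmul(U, COMMIT_0), COMMIT_1))
    print("non-concealing pair:", cheating_unitary(COMMIT_0, LEAKY_1))
```

For the sample pair both of Bob's density operators are the maximally mixed state, which is the degenerate case of the proof, and the unitary that comes out is the Hadamard transformation applied to Alice's particle alone.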

The heart of the mathematical proof is the biorthogonal decomposition 
theorem. But the essential conceptual insight is the possibility of enlarging 
the Hilbert space and implementing an EPR strategy without detection. 
This raises the following question, considered in the next section: Suppose 
Bob cannot cheat because $W_B(0) = W_B(1)$, so by the theorem there exists
a unitary transformation $U$ in $\mathcal{H}_A$ that will transform $|0\rangle$ to $|1\rangle$. Could
there be a protocol in which Alice also cannot cheat because, although there 
exists a suitable unitary transformation U, she cannot know what unitary 
transformation to apply? In the next section we shall see that this is indeed 
the case, but only if U depends on Bob's operations, which are unknown to 
Alice. But then Bob would have to actually make a determinate choice or 
obtain a determinate outcome in a measurement, and he could always avoid 
doing so without detection by applying an EPR strategy. The remaining 
question would seem to be whether he might choose to avoid an EPR strategy 
in a certain situation because it would be disadvantageous to him. How do 
we know that following an EPR strategy is never disadvantageous? 

3 A Possible Loophole? 

The question at issue in this section is whether applying an EPR cheating 
strategy can ever be disadvantageous to the cheater. Note that the standard 
approach in cryptology is to consider the possibility of cheating against an 
honest opponent. Here we are considering the question of whether a quantum 
bit commitment protocol exists with the feature that one of the parties would 
forego a certain cheating strategy, because the opposing party would be able 
to cheat by taking advantage of such a move. So, strictly speaking, this 
would not be considered a loophole in the quantum bit commitment theorem, 
even if we could identify such a protocol. Nevertheless, this 'game-theoretic' 
extension of the usual notion is certainly relevant to the issue of security. 

To focus the question, it will be worthwhile to consider a particular pro-
tocol based on the Aharonov-Bergmann-Lebowitz notion of pre- and post-
selected quantum states. If (i) Alice prepares a system in a certain state
$|\mathrm{pre}\rangle$ at time $t_1$, (ii) Bob measures some observable $Q$ on the system at time
$t_2$, and (iii) Alice measures an observable of which $|\mathrm{post}\rangle$ is an eigenstate at
time $t_3$, and post-selects for $|\mathrm{post}\rangle$, then Alice can assign probabilities to the
outcomes of Bob's $Q$-measurement at $t_2$, conditional on the states $|\mathrm{pre}\rangle$ and
$|\mathrm{post}\rangle$ at times $t_1$ and $t_3$, respectively, as follows:

$$
\mathrm{prob}(q_k) = \frac{|\langle \mathrm{pre}|P_k|\mathrm{post}\rangle|^2}{\sum_i |\langle \mathrm{pre}|P_i|\mathrm{post}\rangle|^2}
\tag{16}
$$

where $P_i$ is the projection operator onto the $i$th eigenspace of $Q$. Notice
that the ABL-rule is time-symmetric, in the sense that the states $|\mathrm{pre}\rangle$ and
$|\mathrm{post}\rangle$ can be interchanged, so these states are sometimes referred to as time-
symmetric states.

If Q is unknown to Alice, she can use this 'ABL-rule' to assign proba- 
bilities to the outcomes of various hypothetical Q-measurements. The in- 
teresting peculiarity of the ABL-rule, by contrast with the usual Born rule 
for pre-selected states, is that it is possible — for an appropriate choice of ob- 
servables Q, Q', . . . , and states |pre) and |post) — to assign unit probability 
to the outcomes of a set of mutually noncommuting observables. That is, 
Alice can be in a position to assert a conjunction of conditional statements 
of the form: 'If Bob measured $Q$, then the outcome must have been $q_i$, with
certainty, and if Bob measured $Q'$, then the outcome must have been $q'_j$, with
certainty, . . . ,' where Q, Q', . . . are mutually noncommuting observables. 

A case of this sort has been discussed by Vaidman, Aharonov, and Albert [30],
where the outcome of a measurement of any of the three spin components
$\sigma_x$, $\sigma_y$, $\sigma_z$ of a spin-$\frac{1}{2}$ particle can be
inferred from an appropriate pre- and post-selection. Alice prepares a pair
of particles, A and C, in the Bell state:

$$|\mathrm{pre}\rangle = \frac{1}{\sqrt{2}}\left(|\uparrow_z\rangle_A|\uparrow_z\rangle_C + |\downarrow_z\rangle_A|\downarrow_z\rangle_C\right) \qquad (17)$$

where $|\uparrow_z\rangle$ and $|\downarrow_z\rangle$ denote the
$\sigma_z$-eigenstates. Alice sends the channel particle C to Bob and keeps
the ancilla A. Bob measures either $\sigma_x$, or $\sigma_y$, or $\sigma_z$
on the channel particle and returns the channel particle to Alice. Alice
then measures an observable $R$ on the pair of particles, where $R$ has the
eigenstates:

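$$|r_1\rangle = \frac{1}{\sqrt{2}}|\uparrow_z\rangle|\uparrow_z\rangle + \frac{1}{2}\left(|\uparrow_z\rangle|\downarrow_z\rangle e^{i\pi/4} + |\downarrow_z\rangle|\uparrow_z\rangle e^{-i\pi/4}\right) \qquad (18)$$

$$|r_2\rangle = \frac{1}{\sqrt{2}}|\uparrow_z\rangle|\uparrow_z\rangle - \frac{1}{2}\left(|\uparrow_z\rangle|\downarrow_z\rangle e^{i\pi/4} + |\downarrow_z\rangle|\uparrow_z\rangle e^{-i\pi/4}\right) \qquad (19)$$

$$|r_3\rangle = \frac{1}{\sqrt{2}}|\downarrow_z\rangle|\downarrow_z\rangle + \frac{1}{2}\left(|\uparrow_z\rangle|\downarrow_z\rangle e^{-i\pi/4} + |\downarrow_z\rangle|\uparrow_z\rangle e^{i\pi/4}\right) \qquad (20)$$

$$|r_4\rangle = \frac{1}{\sqrt{2}}|\downarrow_z\rangle|\downarrow_z\rangle - \frac{1}{2}\left(|\uparrow_z\rangle|\downarrow_z\rangle e^{-i\pi/4} + |\downarrow_z\rangle|\uparrow_z\rangle e^{i\pi/4}\right) \qquad (21)$$

Note that:

$$|\mathrm{pre}\rangle = \frac{1}{\sqrt{2}}\left(|\uparrow_z\rangle|\uparrow_z\rangle + |\downarrow_z\rangle|\downarrow_z\rangle\right) \qquad (22)$$

$$= \frac{1}{\sqrt{2}}\left(|\uparrow_x\rangle|\uparrow_x\rangle + |\downarrow_x\rangle|\downarrow_x\rangle\right) \qquad (23)$$

$$= \frac{1}{\sqrt{2}}\left(|\uparrow_y\rangle|\downarrow_y\rangle + |\downarrow_y\rangle|\uparrow_y\rangle\right) \qquad (24)$$

$$= \frac{1}{2}\left(|r_1\rangle + |r_2\rangle + |r_3\rangle + |r_4\rangle\right) \qquad (25)$$
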

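Alice can now assign values to the outcomes of Bob's spin measurements
via the ABL-rule, whether Bob measured $\sigma_x$, $\sigma_y$, or $\sigma_z$,
based on the post-selections $|r_1\rangle$, $|r_2\rangle$, $|r_3\rangle$, or
$|r_4\rangle$, according to Table 1.

|       | $\sigma_x$ | $\sigma_y$ | $\sigma_z$ |
|-------|------------|------------|------------|
| $r_1$ | ↑          | ↑          | ↑          |
| $r_2$ | ↓          | ↓          | ↑          |
| $r_3$ | ↑          | ↓          | ↓          |
| $r_4$ | ↓          | ↑          | ↓          |

Table 1: $\sigma_x$, $\sigma_y$, $\sigma_z$ measurement outcomes correlated with eigenvalues of $R$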

Consider, now, the following protocol for bit commitment based on the
Vaidman-Aharonov-Albert case. Alice prepares $n$ copies of the Bell state
$|\mathrm{pre}\rangle = \frac{1}{\sqrt{2}}(|\uparrow_z\rangle_A|\uparrow_z\rangle_C + |\downarrow_z\rangle_A|\downarrow_z\rangle_C)$.
She keeps the ancillas and sends the channel particles to Bob in sequence.
Bob measures either $\sigma_x$, $\sigma_y$, or $\sigma_z$ chosen randomly on
a channel particle, records the outcome, and returns the particle to Alice
before she sends him the next channel particle in the sequence. Alice
measures the observable $R$ on each channel particle she receives back from
Bob.

The commitment is made as follows: After the sequence of measurements,
Bob announces the indices in the sequence for which he obtained a '↑'
outcome for his measurements (without announcing whether he measured
$\sigma_x$, $\sigma_y$, or $\sigma_z$). The remaining elements in the
sequence are discarded. Alice can now divide the ↑-sequence into two
subsequences of approximately equal length (for large $n$): the subsequence
$S_1$ for which she obtained the outcome $r_1$ for $R$, and the complementary
subsequence $S_{234}$ for which she obtained the outcome $r_2$, $r_3$, or
$r_4$. If Alice commits to 0, she announces the indices of the subsequence
$S_{234}$ and proves her commitment at the final stage, when she reveals her
commitment, by her ability to announce (from Table 1), for each element in
the subsequence, the observable that Bob measured, either $\sigma_x$,
$\sigma_y$, or $\sigma_z$. If she commits to 1, she announces the indices of
the subsequence $S_1$ and proves her commitment by her ability to announce,
for each element in the complementary subsequence $S_{234}$, the observable
that Bob measured.

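At first sight, it might appear that this protocol is not of the sort covered
by the bit commitment theorem. To see that it is, suppose that instead of
following the protocol and actually choosing one of $\sigma_x$, $\sigma_y$,
or $\sigma_z$, performing the measurement, and obtaining a determinate
outcome, Bob implements an EPR cheating strategy with a quantum die ancilla
with three orthogonal states $|d_x\rangle$, $|d_y\rangle$, $|d_z\rangle$
corresponding to the choice of spin observable $\sigma_x$, $\sigma_y$,
$\sigma_z$. Then the state of the composite system consisting of Alice's
ancilla, the channel particle, and Bob's die and pointer ancillas is:

$$\frac{1}{\sqrt{3}}|d_x\rangle_B\left(\frac{1}{\sqrt{2}}|\uparrow_x\rangle_A|\uparrow_x\rangle_C|p_\uparrow\rangle_B + \frac{1}{\sqrt{2}}|\downarrow_x\rangle_A|\downarrow_x\rangle_C|p_\downarrow\rangle_B\right)$$

$$+ \frac{1}{\sqrt{3}}|d_y\rangle_B\left(\frac{1}{\sqrt{2}}|\uparrow_y\rangle_A|\downarrow_y\rangle_C|p_\downarrow\rangle_B + \frac{1}{\sqrt{2}}|\downarrow_y\rangle_A|\uparrow_y\rangle_C|p_\uparrow\rangle_B\right)$$

$$+ \frac{1}{\sqrt{3}}|d_z\rangle_B\left(\frac{1}{\sqrt{2}}|\uparrow_z\rangle_A|\uparrow_z\rangle_C|p_\uparrow\rangle_B + \frac{1}{\sqrt{2}}|\downarrow_z\rangle_A|\downarrow_z\rangle_C|p_\downarrow\rangle_B\right) \qquad (26)$$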

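To announce '↑,' Bob measures the pointer ancilla for $p_\uparrow$ or
$p_\downarrow$, which projects onto:

$$|\uparrow\rangle = |p_\uparrow\rangle_B \frac{1}{\sqrt{3}}\left(|d_x\rangle_B|\uparrow_x\rangle_A|\uparrow_x\rangle_C + |d_y\rangle_B|\downarrow_y\rangle_A|\uparrow_y\rangle_C + |d_z\rangle_B|\uparrow_z\rangle_A|\uparrow_z\rangle_C\right) \qquad (27)$$

or

$$|\downarrow\rangle = |p_\downarrow\rangle_B \frac{1}{\sqrt{3}}\left(|d_x\rangle_B|\downarrow_x\rangle_A|\downarrow_x\rangle_C + |d_y\rangle_B|\uparrow_y\rangle_A|\downarrow_y\rangle_C + |d_z\rangle_B|\downarrow_z\rangle_A|\downarrow_z\rangle_C\right) \qquad (28)$$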

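with probability $\frac{1}{2}$. Note that this enables Bob to announce the
'↑' outcomes without actually measuring $\sigma_x$, $\sigma_y$, or
$\sigma_z$. In effect, he has a quantum computer that computes '↑' or '↓,'
for the quantum disjunction '$\sigma_x$ or $\sigma_y$ or $\sigma_z$.'

The state $|\uparrow\rangle$ can be expressed in terms of $R$-eigenstates:

$$|\uparrow\rangle = \frac{1}{\sqrt{3}}\left(\frac{1}{\sqrt{2}}|r_1\rangle_A + \frac{1}{\sqrt{2}}|r_3\rangle_A\right)|d_x\rangle_B|p_\uparrow\rangle_B$$

$$+ \frac{1}{\sqrt{3}}\left(\frac{1}{\sqrt{2}}|r_1\rangle_A + \frac{1}{\sqrt{2}}|r_4\rangle_A\right)|d_y\rangle_B|p_\uparrow\rangle_B$$

$$+ \frac{1}{\sqrt{3}}\left(\frac{1}{\sqrt{2}}|r_1\rangle_A + \frac{1}{\sqrt{2}}|r_2\rangle_A\right)|d_z\rangle_B|p_\uparrow\rangle_B \qquad (29)$$

and rewritten as:

$$|\uparrow\rangle = \frac{1}{\sqrt{2}}|r_1\rangle_A\left(\frac{1}{\sqrt{3}}|d_x\rangle_B + \frac{1}{\sqrt{3}}|d_y\rangle_B + \frac{1}{\sqrt{3}}|d_z\rangle_B\right)|p_\uparrow\rangle_B$$

$$+ \left(\frac{1}{\sqrt{6}}|r_3\rangle_A|d_x\rangle_B + \frac{1}{\sqrt{6}}|r_4\rangle_A|d_y\rangle_B + \frac{1}{\sqrt{6}}|r_2\rangle_A|d_z\rangle_B\right)|p_\uparrow\rangle_B \qquad (30)$$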

Evidently, after Alice measures the observable $R$ on the channel particles
in the '↑' subsequence and announces either the subsequence $S_{234}$ for
which she obtained the eigenvalues $r_2$, $r_3$, or $r_4$ corresponding to
the 0-commitment, or the subsequence $S_1$ for which she obtained the
eigenvalue $r_1$ corresponding to the 1-commitment, Bob's density operator
for the channel particles (obtained by tracing over Alice's ancillas and
Bob's ancillas) will be either:

$$W_B(0) = \frac{1}{3}\left(|d_x\rangle_B\,{}_B\langle d_x| + |d_y\rangle_B\,{}_B\langle d_y| + |d_z\rangle_B\,{}_B\langle d_z|\right) \qquad (31)$$

for the subsequence $S_{234}$, or:

$$W_B(1) = \frac{1}{3}\left(|d_x\rangle_B + |d_y\rangle_B + |d_z\rangle_B\right)\left({}_B\langle d_x| + {}_B\langle d_y| + {}_B\langle d_z|\right) \qquad (32)$$

for the subsequence $S_1$. (More precisely, these are the density operators
for a single channel particle. The density operator for the sequence of
channel particles is in each case a tensor product of the relevant operator
over the elements of the sequence.) But these density operators are
distinguishable: $W_0$ is the density operator of an equal weight mixture of
pure states $|d_x\rangle_B$, $|d_y\rangle_B$, and $|d_z\rangle_B$, while
$W_1$ is the density operator of the pure state
$\frac{1}{\sqrt{3}}|d_x\rangle_B + \frac{1}{\sqrt{3}}|d_y\rangle_B + \frac{1}{\sqrt{3}}|d_z\rangle_B$.
So Bob can cheat — the protocol is insecure.
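
The following Python check is an added example, not part of the paper: it reproduces Table 1 from the ABL rule (16) using the eigenstates (18)-(21), and then computes the purity $\mathrm{Tr}\,W^2$ of Bob's die state in the '↑' branch of the EPR strategy for the subsequences $S_1$ and $S_{234}$, giving the pure state of (32) and the equal-weight mixture of (31). The function names and the basis ordering are choices made for this example.

```python
import cmath, math

S = 1 / math.sqrt(2)
E = cmath.exp(1j * math.pi / 4)          # e^{i pi/4}
# Pair (A, C) amplitudes in sigma_z basis order: up-up, up-down, down-up, down-down.
PRE = [S, 0, 0, S]                                        # Eq. (17)
R_STATES = {                                              # Eqs. (18)-(21)
    "r1": [S, E / 2, E.conjugate() / 2, 0],
    "r2": [S, -E / 2, -E.conjugate() / 2, 0],
    "r3": [0, E.conjugate() / 2, E / 2, S],
    "r4": [0, -E.conjugate() / 2, -E / 2, S],
}
EIG = {  # single-particle (up, down) eigenstates of sigma_x, sigma_y, sigma_z
    "x": {"up": [S, S], "down": [S, -S]},
    "y": {"up": [S, 1j * S], "down": [S, -1j * S]},
    "z": {"up": [1, 0], "down": [0, 1]},
}

def inner(u, v):
    return sum(a.conjugate() * b for a, b in zip(u, v))

def project_c(e, psi):
    """Apply I_A (x) |e><e|, Bob's projector on channel particle C."""
    amps = [sum(e[c].conjugate() * psi[2 * a + c] for c in range(2)) for a in range(2)]
    return [e[c] * amps[a] for a in range(2) for c in range(2)]

def abl(axis, post):
    """ABL rule, Eq. (16): probabilities of Bob's outcomes given |pre>, |post>."""
    w = {k: abs(inner(post, project_c(e, PRE))) ** 2 for k, e in EIG[axis].items()}
    return {k: v / sum(w.values()) for k, v in w.items()}

def table1():
    """For each r_i and axis, the outcome the ABL rule gives probability 1."""
    return {r: {ax: max(abl(ax, post).items(), key=lambda kv: kv[1])[0]
                for ax in "xyz"} for r, post in R_STATES.items()}

def die_purity(r_names):
    """Tr(W^2) of Bob's die state in the 'up' branch, given Alice's R outcome set."""
    rho = [[0j] * 3 for _ in range(3)]
    for r in r_names:
        v = [inner(R_STATES[r], project_c(EIG[ax]["up"], PRE)) for ax in "xyz"]
        rho = [[rho[i][j] + v[i] * v[j].conjugate() for j in range(3)] for i in range(3)]
    tr = sum(rho[i][i] for i in range(3)).real
    return sum(rho[i][j] * rho[j][i] for i in range(3) for j in range(3)).real / tr ** 2

if __name__ == "__main__":
    print(table1(), die_purity(["r1"]), die_purity(["r2", "r3", "r4"]))
```

A purity of 1 for $S_1$ against 1/3 for $S_{234}$ is what lets Bob tell the two commitments apart.
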

Now, suppose we assume that Bob is forced to make a determinate choice
of which spin component observable to measure for each channel particle,
and actually perform the measurements and record the outcomes. Then it is
clear that both subsequences $S_1$ and $S_{234}$ will be characterized by the
same equal weight mixture of pure states $|d_x\rangle_B$, $|d_y\rangle_B$, and
$|d_z\rangle_B$. So Bob cannot cheat. But Alice cannot cheat either. Of
course, by the bit commitment theorem, since Alice is in possession of all
the channel particles at the final stage when she is required to reveal her
commitment, there exists a unitary transformation in Alice's Hilbert space
(which now includes the channel particles) that will transform the states of
the ancilla-channel pairs to $R$-eigenstates that conform to Bob's
measurement outcomes. But this unitary transformation depends on the
outcomes of Bob's measurements, which are unknown to Alice. Essentially,
Alice would have to transform the state $|r_1\rangle$ for each element in the
declared subsequence or the complementary subsequence to the state
$|r_2\rangle$, $|r_3\rangle$, or $|r_4\rangle$, corresponding to Bob's
measurement outcome for that element, in order to successfully change her
commitment without Bob being able to detect her cheating. There exists a
unitary transformation that Alice can implement to achieve this result, but
she cannot know what unitary transformation to employ. So the protocol is
secure, subject to the assumption that Bob cannot apply an EPR cheating
strategy.

The question raised at the beginning of this section can now be put more 
concretely. In the above protocol, if Bob is honest and does not apply an EPR 
strategy, then neither party can cheat. If he applies the strategy, then he 
gains the advantage. Can there be a bit commitment protocol that is similar 
to the above protocol, except that the application of an EPR strategy by Bob 
at a certain stage of the protocol would give Alice the advantage, rather than 
Bob, while conforming to the protocol would ensure that neither party could 
cheat? If there were such a protocol, then Bob would, in effect, be forced 
to conform to the protocol and avoid the EPR strategy, and unconditionally 
secure bit commitment would be possible. 

In fact, the impossibility of such a protocol follows from the theorem itself.
Suppose there were such a protocol. That is, suppose that if Bob applies an
EPR strategy then $W_B(0) = W_B(1)$, so by the theorem there exists a unitary
transformation $U$ in Alice's Hilbert space that will transform $|0\rangle$
to $|1\rangle$. Alice must know this $U$ because it is uniquely determined by
Bob's deviation from the protocol according to an EPR strategy that keeps all
disjunctions at the quantum level as linear superpositions. Suppose also that
if, instead, Bob is honest and follows the protocol (so that there is a
determinate choice for every disjunction over possible operations or possible
measurement outcomes), then $W_B(0) = W_B(1)$, but the unitary transformation
in Alice's Hilbert space that allows her to transform $|0\rangle$ to
$|1\rangle$ depends on Bob's choices or measurement outcomes, which are
unknown to Alice.

Now the crucial point to note is that the information available in Al- 
ice's Hilbert space must be the same whether Bob follows the protocol and 
makes determinate choices and obtains determinate measurement outcomes 
before Alice applies the unitary transformation $U$ that transforms $|0\rangle$ to $|1\rangle$,
or whether he deviates from the protocol via an EPR strategy in which he 
implements corresponding entanglements with his ancillas to keep choices 
and measurement outcomes at the quantum level before Alice applies the 
transformation U, and only makes these choices and measurement outcomes 
determinate at the final stage of the protocol by measuring his ancillas. There 
can be no difference for Alice because Bob's measurements on his ancillas and 
any measurements or operations that Alice might perform take place in dif- 
ferent Hilbert spaces, so the operations commute. If Alice's density operator 
(obtained by tracing over Bob's ancillas), which characterizes the statistics 
of measurements that Alice can perform in her part of the universe, were 
different depending on whether or not Bob actually carried out the required 
measurements, as opposed to keeping the alternatives at the quantum level 
by implementing corresponding entanglements with ancillas, then it would be 
possible to use this difference to signal superluminally. Actual measurements 
by Bob on his ancillas that selected alternatives in the entanglements as de- 
terminate would instantaneously alter the information available in Alice's 
part of the universe. 

It follows that in the hypothetical bit commitment protocol we are
considering, the unitary transformation $U$ in Alice's Hilbert space that
transforms $|0\rangle$ to $|1\rangle$ must be the same transformation in the
honest scenario as in the
cheating scenario. But we are assuming that the transformation in the honest 
scenario is unknown to Alice and depends on Bob's measurement outcomes, 
while the transformation in the cheating scenario is unique and known to 
Alice. So there can be no such protocol: the deviation from the protocol by 
an EPR strategy can never place Bob in a worse position than following the 
protocol honestly. 

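The argument can be put formally in terms of the theorem as follows:
The cheating scenario produces one of two alternative pure states
$|0\rangle_c$ or $|1\rangle_c$ in $\mathcal{H}_A \otimes \mathcal{H}_B$
('c' for 'cheating strategy'). Since the reduced density operators in
$\mathcal{H}_B$:

$$W_B^{(c)}(0) = \mathrm{Tr}_A\, |0\rangle_c\,{}_c\langle 0|$$

$$W_B^{(c)}(1) = \mathrm{Tr}_A\, |1\rangle_c\,{}_c\langle 1| \qquad (33)$$

are required by assumption to be the same:

$$W_B^{(c)}(0) = W_B^{(c)}(1) \qquad (34)$$

the states $|0\rangle_c$ and $|1\rangle_c$ can be expressed in biorthogonal
decomposition as:

$$|0\rangle_c = \sum_i \sqrt{c_i}\, |a_i\rangle|b_i\rangle$$

$$|1\rangle_c = \sum_i \sqrt{c_i}\, |a'_i\rangle|b_i\rangle \qquad (35)$$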

i 

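where the reduced density operators in $\mathcal{H}_A$:

$$W_A^{(c)}(0) = \mathrm{Tr}_B\, |0\rangle_c\,{}_c\langle 0| = \sum_i c_i\, |a_i\rangle\langle a_i|$$

$$W_A^{(c)}(1) = \mathrm{Tr}_B\, |1\rangle_c\,{}_c\langle 1| = \sum_i c_i\, |a'_i\rangle\langle a'_i| \qquad (36)$$

are different:

$$W_A^{(c)}(0) \neq W_A^{(c)}(1) \qquad (37)$$

It follows that there exists a unitary operator $U_c \in \mathcal{H}_A$
defined by the spectral representations of $W_A^{(c)}(0)$ and $W_A^{(c)}(1)$:

$$\{|a_i\rangle\} \xrightarrow{U_c} \{|a'_i\rangle\} \qquad (38)$$

such that:

$$|0\rangle_c \xrightarrow{U_c} |1\rangle_c \qquad (39)$$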

The honest scenario produces one of two alternative pure states $|0\rangle_h$
and $|1\rangle_h$ in $\mathcal{H}_A \otimes \mathcal{H}_B$ ('h' for 'honest
scenario'), where the pair $\{|0\rangle_h, |1\rangle_h\}$ depends on Bob's
choices and the outcomes of his measurements.

By assumption, as in the cheating scenario, the reduced density operators
$W_B^{(h)}(0)$ and $W_B^{(h)}(1)$ in $\mathcal{H}_B$ are the same:

$$W_B^{(h)}(0) = W_B^{(h)}(1) \qquad (40)$$

which entails the existence of a unitary operator $U_h \in \mathcal{H}_A$
such that:

$$|0\rangle_h \xrightarrow{U_h} |1\rangle_h \qquad (41)$$

where $U_h$ depends on Bob's choices and measurement outcomes.

Now, the difference between the honest scenario and the cheating scenario
is undetectable in $\mathcal{H}_A$, which means that the reduced density
operators in $\mathcal{H}_A$ are the same in the honest scenario as in the
cheating scenario:

$$W_A^{(h)}(0) = W_A^{(c)}(0)$$

$$W_A^{(h)}(1) = W_A^{(c)}(1) \qquad (42)$$

Since $U_h$ is defined by the spectral representations of $W_A(0)$ and
$W_A(1)$, it follows that $U_h = U_c$. But we are assuming that $U_h$ depends
on Bob's choices and measurement outcomes, while $U_c$ is uniquely defined by
Bob's
EPR strategy, in which there are no determinate choices or measurement 
outcomes. Conclusion: there can be no bit commitment protocol in which 
neither Alice nor Bob can cheat if Bob honestly follows the protocol, but 
Alice can cheat if Bob deviates from the protocol via an EPR strategy. If 
neither Bob nor Alice can cheat in the honest scenario, then Bob and not 
Alice must be able to cheat in the cheating scenario. 

A similar argument rules out a protocol in which neither party can cheat if
Bob is honest (as above), but if Bob follows an EPR strategy, then
$W_B(0) \approx W_B(1)$, so Bob has some probability of cheating successfully,
but Alice has a greater probability of cheating successfully than Bob. Again,
the unitary transformation $U_c$ that would allow Alice to cheat with a
certain probability of success if Bob followed an EPR strategy would also
have to allow Alice to cheat successfully if Bob were honest. But the
supposition is that Alice cannot cheat if Bob is honest, because the unitary
transformation $U_h$ in that case depends on Bob's choices and measurement
outcomes, which are unknown to Alice. It follows that there can be no such
protocol.

So there is no loophole - not even in the extended sense: following an 
EPR cheating strategy can never be disadvantageous to the cheater. Un- 
conditionally secure quantum bit commitment (in the sense of the theorem) 
really is impossible. 


